If you happen to intercept PGP communication between two people, there's no password in the world that can decrypt it. The password (or passphrase) only unlocks the secret key, which is actually needed to decrypt the communication. If you don't have the secret key, your options for recovering the encrypted content are mathematically tantamount to nil. If you do have someone's secret key file, that person did something very wrong and stupid. The proper thing for that person to do when there's reason to believe their secret key is compromised: revoke the key, and tell everyone that the key has been compromised! I cover some of this in my GPG Key Management & Signing Article. Some Cloud Crack™ was being smoked by someone, as the crackers had access to the secret key, which shouldn't ever happen.

It doesn't always cost millions of dollars for CPU cycles.

Ages ago, my friend Bob had distributed.net agents running on 90% of the lab computers at the college he attended. These were all fairly new computers, too. Have physical access to 100 computers? You can probably spawn 100 instances of EDPR. For free. As in free beer. Okay, free beer plus the cost of the EDPR entitlements.

Plain old CPU cycles are so '90s. These days, we have the ability to harness compute power of FPGAs, and thanks to things like the CUDA architecture, Graphics Processing Units (GPUs) as well. These technologies take traditional CPU cycle density and cost paradigms and turn them inside out. It doesn't come cheap, but it's surprisingly affordable, more efficient, and denser than building racks of x86 machines. The author spoke of a corporate espionage scenario, with budgets of around $1M to compromise a competitor's data. $1M would go a very long way with FPGA or CUDA technology.

Finally, there's the black-hat side. Botnet zombies are cheap. Spammers, scammers, and malware tycoons know this. If you have some skills, free time and lack a moral compass, you can roll your own botnet or hijack someone else's botnet zombies for free. Again, as in free beer. Don't think it happens? Don't kid yourself.

Brute Forcing is real

While brute force doesn't work against PGP in a perfect world, it does work almost anywhere a password is involved, and the numbers don't lie. An attack like this against an encrypted TrueCrypt volume, for example, would be bone-chilling if it succeeded. Normal "protected" zip files, documents, and accounts are vulnerable, and there are multiple tools to brute force almost any kind of password.

Longer is better, for the most part

Long, simple passphrases win out over short, complex passwords when it comes to brute force. Still, if you use something that's easy to guess, like the first sentence of the book currently marked as your favorite on some social networking site, you might be in trouble. The ways you choose, guard, and use your passwords are parts of a very complex problem that not even the best in the industry can agree on a solution for. Good luck with that.

If you happen to intercept PGP communication between two people, there's no password in the world that can decrypt it. The password (or passphrase) only unlocks the secret key, which is actually needed to decrypt the communication. If you don't have the secret key, your options for recovering the encrypted content are mathematically tantamount to nil. If you do have someone's secret key file, that person did something very wrong and stupid. The proper thing for that person to do when there's reason to believe their secret key is compromised: revoke the key, and tell everyone that the key has been compromised! I cover some of this in my GPG Key Management & Signing Article. Some Cloud Crack™ was being smoked by someone, as the crackers had access to the secret key, which shouldn't ever happen.

It doesn't always cost millions of dollars for CPU cycles.

Ages ago, my friend Bob had distributed.net agents running on 90% of the lab computers at the college he attended. These were all fairly new computers, too. Have physical access to 100 computers? You can probably spawn 100 instances of EDPR. For free. As in free beer. Okay, free beer plus the cost of the EDPR entitlements.

Plain old CPU cycles are so '90s. These days, we have the ability to harness compute power of FPGAs, and thanks to things like the CUDA architecture, Graphics Processing Units (GPUs) as well. These technologies take traditional CPU cycle density and cost paradigms and turn them inside out. It doesn't come cheap, but it's surprisingly affordable, more efficient, and denser than building racks of x86 machines. The author spoke of a corporate espionage scenario, with budgets of around $1M to compromise a competitor's data. $1M would go a very long way with FPGA or CUDA technology.

Finally, there's the black-hat side. Botnet zombies are cheap. Spammers, scammers, and malware tycoons know this. If you have some skills, free time and lack a moral compass, you can roll your own botnet or hijack someone else's botnet zombies for free. Again, as in free beer. Don't think it happens? Don't kid yourself.

Brute Forcing is real

While brute force doesn't work against PGP in a perfect world, it does work almost anywhere a password is involved, and the numbers don't lie. An attack like this against an encrypted TrueCrypt volume, for example, would be bone-chilling if it succeeded. Normal "protected" zip files, documents, and accounts are vulnerable, and there are multiple tools to brute force almost any kind of password.

Longer is better, for the most part

Long, simple passphrases win out over short, complex passwords when it comes to brute force. Still, if you use something that's easy to guess, like the first sentence of the book currently marked as your favorite on some social networking site, you might be in trouble. The ways you choose, guard, and use your passwords are parts of a very complex problem that not even the best in the industry can agree on a solution for. Good luck with that.

HiR Featured Columns

HiR Tools

HiR Categories

About HiR

HiR is what happens when 1990s-era e-Zine writers decide to form a blog. Most of us hail from the Great Plains region of the United States.

Ax0n, HiR founder and editor-in-chief is an information security specialist currently working in the luxury goods industry.

Asmodian X joined HiR in December 1997 and currently works as a web developer and SysAdmin in the education industry.

Frogman has been on board since May 1998 and has many technical passions. When not experimenting with obscure hardware, he can be found leaping from one rooftop to the next, making the world his office.

TMiB has also been helping since 1998. Also our resident Physicist and go-to guy for xkcd jokes we don't get, The Man in Black currently works in the Internet industry in an east-coast data center.